How secure is OneDrive?
If you’re using OneDrive, you’re using Microsoft’s service to upload and share your files in their cloud. In this article, we’ll examine which data protection and security measures Microsoft implements for its cloud service.
Is OneDrive secure?
Microsoft has stated that they use end-to-end encryption with the AES 256-bit standard for uploads, downloads and backups.
They also add another layer of security to OneDrive with two-factor authentication and the SSL/TLS encryption standard. Although OneDrive offers rather robust data security through good encryption, the possibility of third parties accessing data can’t be completely ruled out. Microsoft does not offer zero-knowledge encryption, which gives Microsoft developers and, if needed, the US government access to data stored in OneDrive.
What is OneDrive?
With OneDrive, you can store and organise your files, documents and other types of data (e.g. contacts, notes, passwords or photos) in Microsoft’s cloud. OneDrive is available for all Windows systems, but you need a Microsoft account to use it. Anyone who uses Microsoft 365 automatically has access to OneDrive.
You can choose to synchronise your OneDrive files across all your devices or for selected apps and devices only. You can also create automatic backups and collaborate with others on the files by using sharing options. OneDrive has another advantage: it comes with 5 GB of free cloud storage.
How is OneDrive encrypted?
Detailed information about Microsoft’s security measures for OneDrive can be found on Microsoft’s website. Microsoft uses the AES 256-bit encryption standard for data protection and security. It would take several billion years to crack this encryption, even with a supercomputer. AES 256-bit is an encryption method that is sufficient to protect your data against large-scale brute-force attacks. For additional security and encryption during data transfer between client and server, Microsoft uses the TLS encryption standard as well. However, Microsoft doesn’t offer zero-knowledge encryption, meaning that the encryption key still stays in Microsoft’s hands.
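What keeping the key on the client looks like in practice, as an added example (not from the original article and not Microsoft's code): a file is sealed with AES-256-GCM before it is placed in a synced folder, so the provider only ever stores ciphertext. The function names and the sample data are assumptions made for illustration, and safe storage of the key is left to the user.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// NewAEAD builds AES-256-GCM from a key that is generated and kept on the client.
func NewAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("need a 32-byte key, got %d bytes", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts on the client; the file name is bound in as associated data.
// Output layout: 12-byte random nonce || ciphertext || 16-byte tag.
func Seal(gcm cipher.AEAD, plaintext []byte, name string) ([]byte, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// Open verifies the tag first; a modified or renamed blob returns an error.
func Open(gcm cipher.AEAD, blob []byte, name string) ([]byte, error) {
	n := gcm.NonceSize()
	if len(blob) < n+gcm.Overhead() {
		return nil, fmt.Errorf("blob too short")
	}
	return gcm.Open(nil, blob[:n], blob[n:], []byte(name))
}

func main() {
	key := make([]byte, 32) // stays on the client, never uploaded
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	gcm, _ := NewAEAD(key)
	blob, _ := Seal(gcm, []byte("constructed sample: payroll Q3"), "payroll.txt")
	out, err := Open(gcm, blob, "payroll.txt")
	fmt.Println(string(out), err)
}
```

Only `blob` would be synced to the cloud; without the locally held key, neither the provider nor anyone with access to its storage can read or silently alter the file.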
Data access rights in OneDrive
As a OneDrive user, you still have considerable power when determining who can access your OneDrive files. Similar to Google Drive, OneDrive gives you the ability to grant reading, viewing and editing rights to people. You can do this via the Share menu for each of your folders or files. Once you have selected a specific person or group of people, you can provide access to the document via a shareable link or by sending an email. You can edit or delete any of these rights at any time.
While Microsoft does potentially have access to your data in OneDrive, the company has emphasised that zero standing access means their developers can only access your data in exceptional cases. Such instances require explicit permission and are carried out under increased security and maintenance requirements.
One exception, however, applies to US governmental agencies. As an American company, Microsoft is legally required to grant access to OneDrive data if a US authority has a legitimate request. Laws such as the Cloud Act, the Patriot Act and the Foreign Intelligence Surveillance Act (FISA) give authorities the right to view and collect data of private citizens. This, however, is a rather rare occurrence.
OneDrive and the Cloud Act
The Cloud Act was passed in 2018 and significantly expands the rights of US authorities to monitor US citizens as well as all companies operating within US borders. US companies like Microsoft are required by law to share data with governmental agencies, even if the data is located on servers abroad. In order to access such data, the US government needs to have a warrant. There are some rare occasions, though, where a warrant or a subpoena is not required.
These new, wider-reaching surveillance rights have caused concern in Europe. In 2020, the European Court of Justice declared the EU-US Privacy Shield invalid, as the USA no longer meets European data protection standards. Previously, the Privacy Shield ensured a secure transfer of data from the EU to the US. It has yet (as of November 2022) to be replaced by any new legislation.
Certain states such as California and Virginia have passed their own data privacy acts that compel any companies offering services to their residents to comply with their data sovereignty laws.
How secure is OneDrive against cyberattacks?
Although Microsoft OneDrive is not perfect, it still offers solid, reliable data security, especially if you’re using their cloud storage service for personal files or to back up data that isn’t mission critical. Companies should opt for the storage service OneDrive for Business.
OneDrive offers the following protection measures against cyber-attacks:
- Password protection with a secure password
- Two-factor authentication
- AES 256-bit encryption
- TLS encryption
- Zero standing access
- Network protection through isolated networks and firewalls
- Mobile encryption of data with the OneDrive app
- Account recovery (using email, phone number or security question)
- Account notifications for suspicious logins
- Spam filtering for OneDrive mail and virus scanning through Microsoft Defender
- Ransomware protection (with Microsoft 365)
- Personal OneDrive vault
- Highly secure data centres
- Automatic backups
- Synchronisation of data with connected devices
- Automatically scanning updates for malware or illegal content
- End-to-end encryption for backups, uploads and downloads
Where are OneDrive servers located?
Microsoft hosts their data in data centres in the United States, Asia and the European Union. You can see where your data is hosted in the settings of Microsoft Office 365. The data of OneDrive for Business customers located in the US is hosted in one of four different locations within the US. It’s not possible to choose a specific data centre for storing your company’s data.
The European Union’s data privacy law, the GDPR, legislates high standards of data privacy and security. Cloud storage providers located in Germany and Switzerland are among the most secure in the world.
Want more protection for your data than provided under US law? Need to be compliant with GDPR requirements in the European Union? HiDrive cloud storage from IONOS is a viable option. Your data will be fully encrypted and stored securely in our certified data centres in the US and Europe. You can also choose the location of the data centre to ensure GDPR compliance, if needed.
Is OneDrive compliant with the GDPR?
If you do business in the EU, you need to comply with the GDPR when storing and using customer data. Since OneDrive can transfer data to servers located in the US without the Privacy Shield agreement as well as to servers in non-EU countries, OneDrive is not considered compliant with the GDPR. Furthermore, OneDrive terms and conditions grant Microsoft the right to use stored data, meaning GDPR-compliant data processing is not guaranteed.
Companies that use OneDrive to store or use data from EU customers, employees, or other stakeholders or partners must provide the following information in their privacy policy:
- Why is OneDrive used for storing data?
- What is the legal basis for storing and processing the data?
- Has a contract for collecting, processing and using the data been made with Microsoft?
- How can individuals contest data collection and processing in OneDrive?
- Where can users find Microsoft’s regulations regarding data usage and protection?
Furthermore, in accordance with Article 28 of the GDPR, companies must also make a written contract with Microsoft for data processing, collection and use if data is stored in OneDrive for business purposes. The following aspects must be defined:
- What personal data does Microsoft receive?
- Why is the data being passed on to Microsoft?
- How long does Microsoft store the data?
- What rights, obligations and disclaimers apply?
Is OneDrive secure for business and compliance?
Microsoft takes a lot of precautions in making OneDrive secure for business data. Not only do they offer two-factor authentication, fully encrypt data in transit as well as at rest, and store data in multiple, highly secured data centres, they also monitor your account for suspicious activity and logins, and alert you to account tampering and possible malware attacks.
In order to improve security, Microsoft scans OneDrive uploads, such as documents and photos, for malware and illegal content. They don’t, however, give any further explanation on how they conduct such scans and analysis.
Even though Microsoft does a lot to secure data, there is also always the chance of human error. It’s important that your company establishes and promotes behaviour that ensures your company’s data is secure. All necessary OneDrive security settings should be enabled, and employees should be trained on privacy best practices. Below are some examples:
- Set up two-factor authentication and enable it by default
- Create a strong password with a random combination of numbers, symbols, and lowercase and capital letters. If possible, instruct your employees to change their passwords on a regular basis.
- Enable encryption if OneDrive mobile apps are used
- Be careful when granting access to documents, especially if you need to do this for people outside of your organization. Double-check emails, use permissions and check that the shared files and folders are the ones you want to share. OneDrive admins can further define default settings and reduce sharing rights for an added layer of security.
- Best practices for data safety should be easy to access and regularly updated
- Update OneDrive and malware systems regularly
Make sure to also include Microsoft’s clauses on how they process and use data as well as the links to documents explaining this in your privacy policy.
What are some alternatives to OneDrive?
If you still have doubts about Microsoft’s data protection measures, you could take a look at our overview of the most secure cloud storage providers. Providers with the highest level of data protection and GDPR-compliant server locations include IONOS with its secure HiDrive cloud storage, leitzcloud by vBoxx and Your Secure Cloud. There are plenty of OneDrive alternatives on the market. Conducting a comparison of cloud storage providers will give you an overview of the market and help you to choose the provider that fits your requirements best.